PATENT 

IN THE CLAIMS 

Please cancel claims 1-5 and substitute the following new claims 6-10. 
What is claimed is: 

1. (cancelled) A wide area network using the internet as a backbone, comprising:

a first dedicated line coupled to a first participating ISX/ISP provider of internet access;

a source router having a channel service unit having an output coupled to said first dedicated line;

a source firewall circuit having a first port for coupling directly or through a local area network to a first device for which communication over said wide area network (hereafter WAN) is desired, and having a WAN interface coupled to said source router directly or through a local area network, said source firewall functioning to encrypt the payloads of downstream WAN packets being transmitted via the WAN interface to said source router using any encryption method having a user definable key or keys, and for decrypting the payloads of any incoming upstream WAN packets arriving from said source router via said WAN interface using the same encryption method and user definable key or keys that were used to encrypt the outgoing WAN packets;

one or more routers of other participating ISX/ISP providers of internet services including a router at an endpoint participating ISX/ISP provider, said routers functioning to implement a predetermined private tunnel data path coupling a router of said first ISX/ISP to a router of said endpoint participating ISX/ISP provider through said routers of said participating ISX/ISP providers;

a destination router including a channel service unit coupled to or part of said destination router, said destination router coupled through said channel service unit and a second dedicated line to said router of said endpoint ISX/ISP provider;

a destination firewall circuit having a WAN interface coupled to said destination router directly or through a local area network and having a second port for coupling directly or through a local area network to a device for which communication across said wide area network is desired, said firewall functioning to encrypt the payloads of upstream WAN packets being transmitted through said WAN interface to said destination router for transmission to said source router via said private tunnel using the same encryption method used by said source firewall and the same user definable key or keys used by said source firewall circuit, and for decrypting any incoming packets from said source router arriving from said endpoint participating ISX/ISP provider using the same encryption protocol used by said source firewall and the same user definable key or keys used by said source firewall circuit and transmitting the decrypted packets to said second device.

2. (cancelled) A process for launching downstream AlterWAN packets addressed to an AlterWAN destination into a private tunnel coupling two AlterWAN destinations using the internet as a backbone and for launching non AlterWAN packets into a normal internet traffic routing data path, comprising the steps:

receiving at a source firewall an incoming downstream wide area network packet from a workstation or other device at a first customer location said incoming downstream wide area network packet being either addressed to an AlterWAN destination or not an AlterWAN packet;

at said source firewall, using the destination address in said incoming downstream wide area network packet to determine if said packet is addressed to an AlterWAN destination coupled to said source firewall by a private tunnel using the internet as a backbone (hereafter referred to as an AlterWAN packet) or is addressed to some non AlterWAN website or location on the internet (hereafter referred to as a non AlterWAN packet);

if said packet is an AlterWAN packet, encrypting at said source firewall the payload portion thereof and forwarding the encrypted AlterWAN packet to a source router;

if said packet is a non AlterWAN packet, at said source firewall, forwarding said non AlterWAN packet to said source router without encrypting the payload portion thereof;

at said source router, converting both said AlterWAN packets and said non AlterWAN packets into signals suitable for transmission on a dedicated telephone line or other transmission medium coupling said source router to a specially selected first ISX/ISP provider and transmitting said signals to said specially selected ISX/ISP provider, said specially selected ISX/ISP provider being selected either because their routing tables are such that AlterWAN packets will naturally be routed along high bandwidth, low hop count data paths to the next ISX/ISP provider in said virtual private network or because the routing tables of the router of said first ISX/ISP provider have been altered to insure that AlterWAN packets get routed along high bandwidth, low hop count data paths to the next ISX/ISP provider along said private tunnel.

3. (Cancelled) An apparatus comprising:

a dedicated data path for coupling to a specially selected first participating ISX/ISP provider of internet access;

a firewall circuit having a first port for coupling directly or through a local area network to one or more devices for which communication over a wide area network using the internet as a backbone is desired, and having a second port, said firewall functioning to use the destination addresses in the headers of each packet received from said one or more devices to distinguish between AlterWAN packets which are packets addressed to destination devices coupled to said firewall circuit via a private tunnel through the internet, and conventional packets which are packets not addressed to destination devices coupled to said firewall circuit via a private tunnel through the internet, said firewall circuit functioning to encrypt the payloads of outgoing AlterWAN packets using one or more predetermined keys and an encryption algorithm, and sending said encrypted AlterWAN packets to said source router via said second port, and functioning to forward any conventional packets to said source router, and functioning to decrypt any incoming AlterWAN packets arriving from said source router using the same encryption algorithms and one or more predetermined keys which were used to encrypt the packets at the location from which they were sent;

a source router having an input coupled to said second port of said firewall circuit either directly or by a local area network connection, and having a channel service unit having an output coupled to said dedicated data path, said channel service unit functioning to convert digital data packets received from said firewall circuit into signals suitable for transmission over whatever type of transmission medium is selected for said dedicated data path, and for converting signals received from said dedicated data path into data packets, said source router for transmitting both AlterWAN and non AlterWAN packets over said dedicated data path to said specially selected first participating ISX/ISP provider where AlterWAN packets will be routed via said private tunnel and specially selected ISX/ISP providers to their destination and non AlterWAN packets will be routed along paths on the internet other than said private tunnel.

4. (Cancelled) A method of designing and implementing a wide area network using the internet as a backbone, comprising the steps:

1) selecting source and destination sites that have devices that need to be connected by a wide area network;

2) examining the ISX/ISP internet service providers that exist between said source and destination sites and selecting two or more of such ISX/ISP providers through which data passing between said source and destination sites will be routed, said selection being based upon how many hops the routers at those sites will cause packets travelling between said source and destination sites to take and whether the average available bandwidth of the data paths along which the packets travelling between said source and destination sites will travel is substantially greater than the worst case bandwidth consumption of traffic between said source and destination sites;

3) coupling a source firewall to the devices at said source site and configuring said firewall to examine the destination addresses of packets received from said devices at said source site and encapsulate each packet addressed to any device at said destination site in an internet protocol packet, hereafter referred to as an AlterWAN packet, said AlterWAN packet having as its destination address the address of an untrusted port of a destination firewall at said destination site and having the original IP packet as its payload, said source firewall being configured to encrypt the payload portions of all said AlterWAN packets using a predetermined encryption algorithm and one or more encryption keys but not to encapsulate or encrypt the payload portions of any packets received from said devices at said source site which are not addressed to any device at said destination site, and configuring said source firewall to recognize any incoming AlterWAN packets which have as their destination addresses the IP address of the untrusted side of said source firewall and to strip off the AlterWAN packet headers and decrypt the payload portion of each said AlterWAN packet to recover the original IP packet transmitted from said destination site using the same encryption algorithm and the same encryption key or keys used to encrypt the payload portions of said AlterWAN packets at said destination site and for outputting said recovered the original IP packet to said devices at said source site, said source firewall having an untrusted port;

4) coupling a source router to receive said encrypted and non encrypted packets from said untrusted port of said source firewall and to convert them in a channel service unit to signals suitable for transmission over a first dedicated local loop connection;

5) contracting to establish said first dedicated local loop connection between the output of said source router at which said signals appear and a first participating ISX/ISP provider in the group of ISX/ISP providers selected in step 2;

6) providing a destination router at said destination site having a channel service unit which functions to receive from a second dedicated local loop connection downstream signals encoding both encrypted AlterWAN packet and conventional IP packets and converting said signals back into the original digital packet form and outputting the recovered downstream packets at a firewall port, and said destination router configured to receive upstream AlterWAN and conventional packets and convert them into signals suitable for transmission on said second dedicated data path coupling said destination router to an endpoint participating ISX/ISP provider in the group of ISX/ISP providers selected in step 2 and transmitting said signals on said second dedicated local loop connection;

7) contracting to provide a second dedicated local loop connection connecting the input of said destination router to said endpoint participating ISX/ISP provider, said second dedicated local loop connection having sufficiently high bandwidth to handle the worst case traffic volume;

8) providing a destination firewall having an untrusted port having an IP address coupled to said firewall port of said destination router to receive said recovered digital packets, and configuring said destination firewall to recognize as AlterWAN packets incoming recovered packets having as their destination address the IP address of said destination firewall untrusted input port and to strip off the AlterWAN packet header and decrypt the payload portion of said AlterWAN packet using the same encryption algorithm and encryption key or keys that were used to encrypt the packet at said source firewall, and configuring said destination firewall to output the decrypted packets at an output coupled to devices at said destination site, and configuring said destination firewall to examine the destination addresses of upstream IP packets received from said devices at said destination site and encapsulate each upstream IP packet addressed to any device at said source site in another IP packet, hereafter referred to as an AlterWAN packet, said AlterWAN packet having as its destination address the IP address of an untrusted port of said source firewall at said source site and having the original IP packet as its payload, said destination firewall being configured to encrypt the payload portions of all said AlterWAN packets using a predetermined encryption algorithm and one or more encryption keys but not to encapsulate or encrypt the payload portions of any IP packets received from said devices at said destination site which are not addressed to any device at said source site (hereafter referred to as conventional packets), and said destination firewall configured to transmit said encrypted AlterWAN packets and said conventional packets to said destination router via said untrusted port.

5. (Cancelled) A wide area network using the internet as a backbone, comprising:

a first dedicated line coupled to a first participating ISX/ISP provider of internet access;

a source router having a channel service unit having an output coupled to said first dedicated line;

a source firewall circuit having a first port for coupling directly or through a local area network to a first device for which communication over said wide area network (hereafter WAN) is desired, and having a WAN interface coupled to said source router directly or through a local area network, said source firewall functioning to encrypt the payloads of downstream WAN packets being transmitted via the WAN interface to said source router using a first encryption method having a first set of user definable keys which may be only one key, and for decrypting the payloads of any incoming upstream WAN packets arriving from said first participating ISX/ISP using a second encryption method which is different than said first encryption method and a second set of user definable keys which are different than the first set of user definable keys were used to encrypt the downstream WAN packets;

one or more routers of other participating ISX/ISP providers of internet services including a router at an endpoint participating ISX/ISP provider, said routers functioning to implement a predetermined private tunnel data path coupling a router of said first ISX/ISP to a router of said endpoint participating ISX/ISP provider through said routers of said participating ISX/ISP providers;

a destination router including a channel service unit coupled to or part of said destination router, said destination router coupled through said channel service unit and a second dedicated line to said router of said endpoint ISX/ISP provider;

a destination firewall circuit having a WAN interface coupled to said destination router directly or through a local area network and having a second port for coupling directly or through a local area network to a device for which communication across said wide area network is desired, said destination firewall functioning to encrypt the payloads of upstream WAN packets being transmitted through said WAN interface to said destination router for transmission to said source router via said private tunnel using the same encryption method and user definable key or keys used by said source firewall to decrypt upstream WAN packets, and for decrypting any incoming downstream WAN packets from said source router arriving from said destination router via the router of said endpoint participating ISX/ISP provider using the same encryption method and encryption key or keys used by said source firewall to encrypt downstream WAN packets and transmitting the decrypted packets to said second device.

6. (Currently Amended) A private, secure wide area network using the internet as a backbone between a source site and a destination site [[using the internet as a backbone]], comprising:

a first dedicated [[local loop connection providing a]] signal path to a router of a source ISX/ISP provider of internet access;

a source router located at a source site and having a channel service unit having an output coupled to said first dedicated signal path [[local loop connection]] and having a routing table which has been configured to recognize AlterWAN packets and always route them over said first dedicated signal path to said source ISX/ISP provider, said AlterWAN packets being packets having as their destination address one of one or more predetermined Internet Protocol addresses assigned to an AlterWAN private tunnel, and AlterWAN private tunnel being a data path through the internet which uses only high bandwidth, low latency data paths between predetermined ISX/ISP provider sites which have been pre-tested to ensure that adequate bandwidth and low latency exists for AlterWAN packets and that AlterWAN packets are always routed at said predetermined ISX/ISP provider site into said AlterWAN private tunnel;

a source firewall circuit located at a source site and having a first port for coupling directly or through a local area network to one or more computers or other devices at said source site for which communication over said private, secure wide area network (hereafter WAN) is desired, and having a WAN interface coupled to said source router directly or through a local area network, said source firewall functioning to encapsulate any Internet Protocol packets hereafter IP packets transmitted from said first computer or other device which have a destination Internet Protocol address (hereafter IP address) which is one of a set of "predetermined IP addresses", said "predetermined IP addresses" being IP addresses of computers or other devices at a destination site which are assigned to said private tunnel, said encapsulation being performed on [[into]] the payload sections of IP packets having as their destination address one of said "predetermined IP addresses", hereafter referred to as AlterWAN packets [[the IP address of a firewall at said destination site]] and for encrypting said payload sections of said AlterWAN packets using any encryption method known to a destination firewall at a destination site [[having a key]], and transmitting said AlterWAN packets to said source router, [[where IP packets having as their destination address the IP address of a computer or other device at either said source site or said destination site and having an encrypted IP packet transmitted from a computer or other device at said source site or said destination site as a payload being defined and hereafter referred to as AlterWAN packets,]] but said source firewall for not encapsulating [[into AlterWAN packets]] any IP packets transmitted by said first computer or other device which do not have as their destination address one of said "predetermined IP addresses" [[an IP address which is one of said IP addresses of computers or other devices at said destination site]], and for receiving incoming IP packets from various sources including computers and devices at said destination site via said source router and for recognizing AlterWAN packets among these IP packets on the basis that an AlterWAN packet has one of said "predetermined IP addresses" as its destination address, and decrypting the payloads of said AlterWAN packets [[using the same encryption method and key or keys that were used to encrypt the AlterWAN packets]] to recover said IP packets that were encapsulated in said AlterWAN packets and transmitting at least said recovered IP packets to said one or more computers or devices at said source site to which said recovered IP packets are addressed;

one or more internet data paths coupled to routers of said predetermined [[other participating]] ISX/ISP providers of internet services, said routers having their routing tables configured to recognize said AlterWAN packets by their destination addresses and to cause said routers to route AlterWAN packets into said AlterWAN private tunnel data path, each [[besides said source ISX/ISP provider including a router at an endpoint participating ISX/ISP provider, said routers of said source and endpoint ISX/ISP providers and said other participating ISX/ISP providers functioning to implement a predetermined private tunnel data path for said AlterWAN packets coupling a router of said source ISX/ISP provider to a router of said endpoint participating ISX/ISP provider through said routers of said other participating ISX/ISP providers, said source and endpoint ISX/ISP providers and]] said predetermined [[other]] ISX/ISP [[providers being providers]] provider being a provider of internet services who has [[have]] contracted to provide routing of AlterWAN packets into said AlterWAN private tunnel data path, said AlterWAN private tunnel data path being at least one of said internet data paths which has [[and who have]] been pre-tested [[pretested]] to verify that said data path does [[they do]] in fact provides a low hop count data path having [[portion of a data path between a said source site and a said destination site for said AlterWAN packets with]] an average available bandwidth along each [[said]] portion of said data path travelled by said AlterWAN packets which [[each ISX/ISP provider provides which substantially]] exceeds the worst case bandwidth consumption of AlterWAN packet traffic between said source site and said destination site;

PRC-001 JP Amd CI 11/03

a destination router including a channel service unit coupled to or part of said destination router and having a trusted side output, said destination router coupled through said channel service unit and a second dedicated data path [[local loop connection]] to [[said]] a router of a said participating [[endpoint]] ISX/ISP provider, said destination router having its routing tables configured to recognize said AlterWAN packets and route them to said trusted side output;

a destination firewall circuit having a WAN interface coupled to said trusted side output of said destination router directly or through a local area network and having a second port for coupling directly or through a local area network to a one or more computers or devices for which communication across said private AlterWAN data path [[, secure wide area network]] is desired, said destination firewall functioning to encapsulate into the payload sections of AlterWAN packets IP packets transmitted from said one or more computers or devices at said destination site and having as their destination addresses one of said "predetermined IP addresses" which is an IP address of said one or more computers or devices at said source site, and functioning to encrypt the payloads of said AlterWAN packets and transmit said AlterWAN packets to said destination router, but for not encapsulating into AlterWAN packets any IP packets transmitted from said one or more computers or devices at said destination site which do not have as their destination address one of said "predetermined IP addresses" [[an IP address of said one or more computers or devices at said source site]], and for receiving IP packets from various sources including said one or more computers or devices at said source site via said destination router, and functioning to recognize AlterWAN packets among said received IP packets and decrypt the payload sections of said AlterWAN packets to recover the original IP packets [[using the same encryption protocol used by said source firewall to encrypt said payload sections of said AlterWAN packets and the same key or keys used by said source firewall]] and transmitting at least the decrypted IP packets recovered from AlterWAN packet to said one or more computers or devices at said destination site.

7. (Currently Amended) A process for sending AlterWAN data packets securely between a computer at a source site and a computer at a destination site so as to implement a private Wide Area Network (hereafter AlterWAN) between said source and destination sites of a customer, said AlterWAN using the internet as a backbone but which is private and which only said customer can use [[while simultaneously launching non AlterWAN packets into a normal internet traffic routing data path]], comprising the steps:

receiving at a source firewall incoming Internet Protocol packets (hereafter IP packets) from a computer[[s]] at a source site of a customer, some of said IP packets having as their destination addresses an Internet Protocol address (hereafter IP address) which is one of one or more IP addresses of [[a computer]] one or more computers or other computing devices at a destination site of said customer;


at said source firewall, comparing the destination address in each said received IP packet to an IP address of a computer at said destination site of said customer, and if an IP packet has as its destination address the IP address of a computer or other computing device at said destination site (hereafter referred to as an AlterWAN inner packet), concluding said IP packet is an AlterWAN inner packet [[payload]] which needs to be transmitted [[via a virtual private network over the internet]] to said computer or other computing device at said destination site via a high bandwidth, low latency, low hop count data path using said internet as a backbone and connecting said source site to said destination site and having an average available bandwidth which exceeds the worst case bandwidth consumption of packets traveling between said source site and said destination site (hereafter referred as the AlterWAN data path), but if said destination address of said received IP packet is not an IP address of a computer or other computing device at said destination site, concluding said IP packet is not an AlterWAN inner [[payload]] packet and needs to be routed like [[as]] any other IP packet would be routed;

if a said received IP packet is an AlterWAN inner [[payload]] packet, encapsulating said AlterWAN inner [[payload]] packet into the payload section of a second [[an]] IP packet having as its destination address the IP address of an untrusted side of a firewall at said [[the]] destination site ef*4 of said AlterWAN data path [[virtual private network]] (hereafter referred to as composite AlterWAN packet) and encrypting at said source firewall at least the payload portion of said AlterWAN inner packet using any encryption algorithm which can be decrypted by said firewall at said destination site [[having a key which same encryption algorithm and key can be used by a firewall at said destination site to recover said AlterWAN payload packet]], and forwarding said composite AlterWAN packet to a source router;

if [[a]] said received IP packet is not an AlterWAN inner [[payload]] packet, forwarding
said received IP packet [[which is not an AlterWAN payload packet]] (hereafter referred to as
a non-AlterWAN packet) to said source router without encapsulating said non-AlterWAN
packet into [[an]] a composite AlterWAN packet;

at said source router, converting both said composite AlterWAN packets and said
non-AlterWAN packets into signals suitable for transmission on a dedicated signal path
[[local loop connection]] coupling said source router to a [[specially selected]] predetermined
source participating ISX/ISP provider of internet connectivity and routing services, and
transmitting said signals to said [[specially selected]] predetermined source participating
ISX/ISP provider, said predetermined [[specially selected]] source participating ISX/ISP
provider being selected because said provider has available a high bandwidth, low
latency, low hop count data path which is part of said AlterWAN data path and also has
agreed to route said composite AlterWAN packets into said AlterWAN data path and has
routers which either already contain routing statements which will route said AlterWAN
packets into said AlterWAN data path or which have been configured to contain such a
routing statement or statements[[, either because their routing tables are such that
AlterWAN packets will naturally be routed along high bandwidth, low hop count data
paths to next participating ISX/ISP provider in said virtual private network or because the
routing tables of the router of said specially selected source participating ISX/ISP provider
have been altered to insure that AlterWAN packets get routed along high bandwidth, low
hop count data paths to the next ISX/ISP provider along said virtual private network and
wherein said source participating ISX/ISP provider and all other participating ISX/ISP
providers whose routers route AlterWAN packets have contracted to provide a data path
for said AlterWAN packets with an average available bandwidth which exceeds the worst
case bandwidth consumption of AlterWAN packets traveling between said source site and
said destination site of said customer]].


1 8. (Currently amended) An apparatus comprising: 

2 a dedicated data path for coupling signals to a specially selected first participating 

3 ISX/ISP provider of internet access; 

4 a first firewall circuit having a first port for coupling directly or through a local area 

5 network to one or more computing devices for which is desired communication over a

6 private wide area network between a customer's source site and destination site using

7 the internet as a backbone [[is desired]], and having a second port, said firewall functioning
8 to use the destination addresses in the headers of each packet received from said one or

9 more computing devices at said source site to distinguish between conventional packets

10 and AlterWAN payload packets, where AlterWAN payload packets are packets having as

11 their destination addresses an address of a computing device [[addressed to devices]] at
12 said destination site or said source site, and wherein a computing device [[computer]] at

13 said destination site is coupled to a computer [[computing device]] at said source site via a

14 second firewall circuit and an AlterWAN data path comprising of a virtual private network

1 5 tunnel implemented along a high bandwidth, low latency, low hop count data paths 

1 6 through a public wide area network such as the internet terminating at said source site at 

1 7 an untrusted side of said first firewall circuit and terminating at said destination site at an 

1 8 untrusted side of said second firewall circuit, and wherein conventional packets are 

19 packets which are not addressed to any computing device [[devices]] at said destination

20 site, said first firewall circuit functioning to encapsulate said AlterWAN payload packets in

21 the payload section of AlterWAN packets which have as their destination address the

22 address of said untrusted side of [[are addressed to]] said second firewall circuit at said

23 destination end of said virtual private network tunnel, [[and]] said first firewall circuit further

24 functioning to encrypt the payloads (AlterWAN payload packet) of AlterWAN packets

25 [[using one or more predetermined keys and an encryption algorithm]], and distinguishing

26 [[said first firewall circuit further functioning to distinguish]] between incoming AlterWAN

27 packets from said destination site and conventional packets by comparing the destination

28 addresses thereof to the address of said untrusted side of said first firewall circuit and

29 concluding that any incoming packets addressed to said first firewall circuit are AlterWAN

30 packet and all packets addressed to one or more computing devices [[computers]] at said

31 source site coupled to said first firewall circuit are conventional packets, and further

32 functioning to decrypt the payload sections of any incoming AlterWAN packets [[using the

33 same encryption algorithm and one or more predetermined keys which were used to

34 encrypt the AlterWAN packets]] so as to recover the encapsulated AlterWAN payload

35 packet;

36 a source router having an input coupled to said second port of said first firewall 

37 circuit either directly or by a local area network connection, and having a channel service 

38 unit having an output coupled to said dedicated data path, said router and channel 

39 service unit functioning to receive said AlterWAN packets and said conventional packets 

40 from said first firewall circuit and convert said packets into signals suitable for transmission 

41 over whatever type of transmission medium is selected for said dedicated data path, and 

42 for converting signals received from said dedicated data path into data packets, said 
43 source router for transmitting both AlterWAN packets and conventional packets received

44 from said first firewall over said dedicated data path to said specially selected first 

45 participating ISX/ISP provider where said AlterWAN packets will be routed [[via said virtual

46 private network tunnel and specially selected participating ISX/ISP providers]] via said

47 AlterWAN data path to said second firewall [[and non AlterWAN packets will be routed

48 along paths on the internet other than said virtual private network tunnel]] and wherein

49 said AlterWAN data path has [[first participating ISX/ISP provider and all said other

50 ISX/ISP providers are providers who have contracted to and do in fact provide data paths

51 for AlterWAN packets which combine to form a low hop count data path with]] an average

52 available bandwidth which substantially exceeds the worst case bandwidth consumption 

53 of AlterWAN packets traveling between said source site and said destination site. 

1 9. (Currently amended) A method of designing and implementing a private wide area 

2 network using the internet as a backbone carrying data packets between a source site to a 

3 destination site (hereafter referred to as an AlterWAN data path), comprising the steps:

4 1) selecting source and destination sites that have computers or other devices 

5 (hereafter referred to simply as computers) that need to be connected by a wide area 

6 network; 

7 2) examining available ISX/ISP internet service providers that can route 

8 [[AlterWAN]] packets between said source and destination sites and selecting two or more

9 of such ISX/ISP providers as participating ISX/ISP providers including at least a source

10 ISX/ISP provider and a destination ISX/ISP provider through which [[AlterWAN]] packet

1 1 data passing between said source and destination sites will be routed, said selection of 

1 2 said participating ISX/ISP providers being made upon the availability to said participating 

1 3 ISX/ISP providers of one or more high bandwidth, low latency data paths which will form 

1 4 part of said AlterWAN data path, said participating ISX/ISP providers agreeing to route 

1 5 packets travelling between said source site and said destination site (hereafter AlterWAN 

1 6 packets) into said AlterWAN data path and agreeing to allow route statements to be 

1 7 added to their routers to cause AlterWAN packets to always be routed into said AlterWAN 

18 data path, [[so as to minimize the number of hops on the internet the routers at

19 participating ISX/ISP providers will cause AlterWAN packets to take while traveling

20 between said source and destination sites and so as to]] said participating ISX/ISP

21 providers also agreeing to manage their portions of said AlterWAN data path so as to

22 guarantee that the average available bandwidth of their portion of said AlterWAN data

23 path [[the data paths along which said AlterWAN packets traveling between computers at
24 said source and destination sites will travel]] is substantially greater than the worst case

25 bandwidth consumption of AlterWAN packet traffic between said source and destination

26 sites; 

27 3) adding route statements to routers of said participating ISX/ISP providers 

28 which will to cause AlterWAN packets to always be routed into said AlterWAN data path 

29 and pretesting said [[the]] ISX/ISP providers selected in step 2 by testing to verify the data

30 path that [[an]] AlterWAN packets travel will be a portion of said AlterWAN data path and

31 that performance is adequate: [[take through the internet to verify that what the

32 participating ISX/ISP providers promised to deliver will actually be delivered;]]

33 [[4) contracting with said participating ISX/ISP providers to provide routing of

34 AlterWAN packets so as to minimize the number of hops on the internet said AlterWAN

35 packets need to take in traveling between said source and destination sites and so as to

36 guarantee that the average available bandwidth along data paths AlterWAN packets

37 must traverse to travel between said source and destination sites is substantially greater

38 than the worst case bandwidth consumption of traffic between source and destination

39 sites, and, if necessary, configuring data in routing tables of said participating ISX/ISP

40 providers so as to minimize said number of hops and guarantee said bandwidth

41 contracted for when routing AlterWAN packets;]]

42 4 [[5]]) contracting to establish and establishing a first dedicated signal path [[local

43 loop connection]] between the output of a source router at which said signals appear and

44 said source ISX/ISP provider in said [[the]] group of participating ISX/ISP providers selected

45 in step 2, said first dedicated signal path [[local loop connection]] having sufficiently high

46 bandwidth to handle the worst case traffic volume in AlterWAN packets [[traveling between

47 said source and destination sites]];

48 5 [[6]]) contracting to provide a second dedicated signal path [[local loop connection]]

49 connecting the input of a destination router to said destination ISX/ISP provider, said

50 second dedicated local loop connection having sufficiently high bandwidth to handle the

51 worst case traffic volume in AlterWAN packets [[traveling between said source and

52 destination sites]];

53 6 [[7]]) coupling an untrusted port of a source firewall/virtual private network circuit

54 (hereafter referred to as the source firewall) to a source router and coupling a trusted port

55 of said source firewall to said one or more computing device or devices at said source site

56 and configuring said source firewall to examine the destination addresses of a first

57 Internet Protocol packets (hereafter IP packets) received from one of said one or more

58 computing devices at said source site and encapsulating [[encapsulate]] each first IP packet
59 having as its destination address and address which is a [[the]] Internet Protocol address

60 (hereafter IP address) of any computing device at said destination site as a payload

61 portion in a second IP packet, said second IP packet hereafter referred to as an

62 AlterWAN packet, said AlterWAN packet having as its destination address the IP address

63 of an untrusted port of a destination firewall/virtual private network circuit (hereafter

64 referred to as the destination firewall) at said destination site and having an encrypted
65 version of at least the payload section of said first [[the original]] IP packet as its payload,

66 said source firewall being configured to recognize non AlterWAN packets and with

67 portions of said AlterWAN packet other than said payload section being referred to herein

68 as an AlterWAN packet header, [[said source firewall also being configured to encrypt the

69 payload portions of all said AlterWAN packets using a predetermined encryption algorithm

70 and one or more encryption keys]] but not to encapsulate or encrypt the payload portions

71 of any non AlterWAN packets received from one or more of said devices at said source site

72 which do not have as their destination address an [[the]] IP address of any device at said

73 destination site [[(hereafter referred to as non AlterWAN packets)]], and configuring said

74 source firewall to screen incoming IP packets from said destination firewall so as to

75 recognize any incoming AlterWAN packets which have as their destination addresses the

76 IP address of the untrusted port of said source firewall and to strip off said [[the]] AlterWAN

77 packet headers and decrypt a [[the]] payload portion of each said incoming AlterWAN

78 packet to recover the original IP packet transmitted from said destination firewall [[using the

79 same encryption algorithm and the same encryption key or keys used to encrypt the

80 payload portions of said AlterWAN packets when they were transmitted from said

81 destination firewall]] so as to recover the original IP packet transmitted to said destination

82 firewall by a computer at said destination site, and for outputting said recovered original

83 IP packet to said device or devices at said source site having the IP address which is the

84 destination address of said original IP packet;

85 7 [[8]]) coupling a source router to receive said [[encrypted]] AlterWAN packets and

86 [[non encrypted]] non-AlterWAN packets from said [[untrusted port of said]] source firewall and

87 to convert said AlterWAN and non-AlterWAN packets in a channel service unit to signals

88 suitable for transmission over said first dedicated signal path [[local loop connection]] to said

89 source ISX/ISP provider; 

90 8 [[9]]) providing a destination router at said destination site having a firewall port

91 coupled to an [[said]] untrusted port of said destination firewall and having a channel

92 service unit coupled to said destination ISX/ISP provider via said second dedicated signal

93 path [[local loop connection]] and configuring said destination router [[which is configured]] to
94 receive from said second dedicated signal path [[local loop connection]] downstream signals

95 encoding both encrypted AlterWAN packets and conventional non AlterWAN IP packets

96 and convert [[converting]] said signals back into the original digital IP packet form, and

97 configuring said destination router to output said recovered downstream IP packets at

98 said firewall port coupled to said untrusted port of said destination firewall, and

99 configuring said destination router [[configured]] to receive upstream AlterWAN packets and
100 conventional non AlterWAN packets and convert both types of said packets into signals

101 suitable for transmission on said second dedicated signal path [[local loop connection]]

102 coupling said destination router to said participating destination ISX/ISP provider in said

103 [[the]] group of participating ISX/ISP providers selected in step 2, and configuring said

104 router to transmit [[transmitting]] said signals on said second dedicated signal path [[local

105 loop connection]];

106 9 [[10]]) providing said [[a]] destination firewall having an untrusted port coupled to

107 said firewall port of said destination router so as to receive said recovered digital IP

108 packets, and configuring said destination firewall to recognize as AlterWAN packets

109 incoming recovered IP packets having as their destination address the IP address of said

110 destination firewall untrusted port and further configuring said destination firewall

111 [[configured]] to strip off said [[the]] AlterWAN packet header of each said AlterWAN packet

112 and, as to each AlterWAN packet, decrypting a [[the]] payload portion of each said

113 AlterWAN packet [[using the same encryption algorithm and encryption key or keys that

114 were used to encrypt the AlterWAN packet at said source firewall]] so as to recover said

115 first [[the original]] IP packet which encapsulated in said [[each]] AlterWAN packet, and

116 configuring said destination firewall to output said first IP packet recovered from said

117 AlterWAN packet by said decryption process [[the decrypted original]] and output each said

118 first IP packets so recovered at an output coupled to one or more computing [[a device or]]

119 devices at said destination site, and configuring said destination firewall to examine the

120 destination addresses of upstream first IP packets received from said one or more

121 computing [[a device or]] devices at said destination site and encapsulate each upstream

122 first IP packet addressed to any computer or other computing device at said source site

123 as a [[the]] payload portion of a second [[another]] IP packet, hereafter referred to as an

124 upstream AlterWAN packet (an AlterWAN packet traveling from said destination site

125 toward said source site), each said upstream AlterWAN packet having as its destination

126 address the IP address of said untrusted port of said source firewall at said source site

127 and a first [[having the original]] IP packet as its payload, and further configuring said

128 destination firewall [[being configured]] to encrypt the payload portions of each [[all]] said
129 upstream AlterWAN packet[[s using a predetermined encryption algorithm and one or more

130 encryption keys]] but not to encapsulate or encrypt the payload portions of any non

131 AlterWAN IP packets received from said one or more computing [[device or]] devices at said

132 destination site, said non AlterWAN IP packets being those IP packets which do not have

133 as their destination addresses an IP address of any device at said source site [[(hereafter

134 referred to as conventional non AlterWAN packets)]], and configuring said destination

135 firewall [[configured]] to transmit said encrypted upstream AlterWAN packets and said

136 conventional non AlterWAN packets to said destination router via said untrusted port.

1 10. (Currently amended) A private wide area network connecting a customer source site 

2 to a customer destination site and using the internet as a backbone, comprising: 

3 a first dedicated data path coupled to a first participating ISX/ISP provider of 

4 internet access; 

5 a source router having a channel service unit having an output coupled to said 

6 first dedicated data path and configured with route statements that recognize IP packets 

7 addressed to the untrusted side of a destination firewall at said customer destination site 

8 (hereafter outgoing AlterWAN packets) and cause said outgoing AlterWAN packets to be 

9 routed into an AlterWAN data path, wherein said AlterWAN data path is a high 

1 0 bandwidth, low latency data path from said customer source site to said customer 

1 1 destination site and back having an average available bandwidth that exceeds the worst 

1 2 case bandwidth consumption of AlterWAN packet traffic between said source and 

1 3 destination sites : 

14 a source firewall [[circuit]] having a first port for coupling directly or through a local

1 5 area network to one or more devices at a customer source site, and having an untrusted 

1 6 port coupled to said source router directly or through a local area network, said untrusted 

1 7 port of said source firewall having an Internet Protocol address (hereafter IP address), 

1 8 said source firewall functioning to receive Internet Protocol packets (hereafter IP packets) 

1 9 from said one or more devices at said customer source site which are addressed to one 

20 or more devices at a customer destination site (hereafter AlterWAN payload packets) and 

21 other IP packets addressed to other locations on the internet (hereafter conventional IP 

22 packets), and for encapsulating said AlterWAN payload packets as the payload sections 

23 of outgoing AlterWAN [[IP]] packets which have as their destination addresses the

24 [[addressed to an]] IP address of an untrusted port of a destination firewall at said customer

25 destination site (hereafter outgoing AlterWAN packets) and functioning to encrypt the

26 payloads of said outgoing AlterWAN packets [[using a first encryption method known to a
27 destination firewall and using a key or key known to said destination firewall and which

28 may be user definable]], and for receiving incoming IP packets and comparing the

29 destination addresses of said incoming IP packets to said IP address of said untrusted

30 port of said source firewall circuit any said incoming IP packet having as its destination

31 address the IP address of said untrusted port of said source firewall being a incoming

32 AlterWAN packet, each said incoming AlterWAN packet encapsulating as its payload

33 section a AlterWAN payload packet, and decrypting the payload sections of any

34 incoming [[IP]] AlterWAN packets [[having as their destination address the IP address of said

35 untrusted port of said source firewall circuit (hereafter incoming AlterWAN packets) using
36 whatever encryption method and key or keys which were used to encrypt them]] so as to

37 recover the encapsulated AlterWAN payload packet from each incoming AlterWAN 

38 packet, and transmitting each recovered AlterWAN payload packet to a device at said 

39 customer source site to which said AlterWAN payload packet is addressed; 

40 one or more routers of other participating ISX/ISP providers of internet services 

41 including a router at an endpoint participating ISX/ISP provider, said routers of said 

42 ISX/ISP providers functioning to implement said AlterWAN data path as a high 

43 bandwidth, low latency, low hop count data path having an average available bandwidth 

44 that exceeds the worst case bandwidth consumed by incoming and outgoing AlterWAN 

45 packets travelling between said source and destination sites and configured to recognize 

46 said incoming and outgoing AlterWAN packets by their destination addresses and route 

47 them into said AlterWAN data path[[, in the form of a virtual private network tunnel through

48 the internet coupling one or more devices at said customer source site to one or more

49 computers at said customer destination site, said low hop count data path having an

50 average available bandwidth which is substantially greater than the worst case bandwidth

51 consumption of AlterWAN packets traveling between said customer source site and said

52 customer destination site]];

53 a destination router including a channel service unit coupled to or part of said 

54 destination router, said destination router coupled through said channel service unit and 

55 a second dedicated datapath to said router of said endpoint participating ISX/ISP 

5 6 provider and configured to recognize said outgoing AlterWAN packets arriving from said 

57 endpoint participating ISX/ISP provider which have travelled from said source firewall via 

58 said AlterWAN data path and route them to said destination firewall, and configured to 

59 recognize said incoming AlterWAN packets from said destination firewall circuit and route 

60 them to said endpoint participating ISX/ISP provider : 

61 [[a]] said destination firewall circuit having an untrusted port having an IP address to
62 which said outgoing AlterWAN packets are addressed, said untrusted port coupled to

63 said destination router directly or through a local area network and having a second port 

64 for coupling directly or through a local area network to one or more devices at said 

65 customer destination site, said destination firewall circuit configured so as [[functioning]] to

66 receive IP packets from said one or more devices at said customer destination site which 

67 are addressed to one or more devices at said customer source site (hereafter AlterWAN 

68 payload packets) and functioning to receive other conventional IP packets not addressed

69 to any of the said devices at said customer source site, and for encapsulating said

70 AlterWAN payload packets as the payload sections of AlterWAN packets addressed to

71 said IP address of an untrusted port of said source firewall circuit at said customer source

72 site (hereafter incoming [[outgoing]] AlterWAN packets) and functioning to encrypt the

73 payloads of said incoming [[outgoing]] AlterWAN packets [[using an encryption method

74 known to said source firewall and a key or keys known to said source firewall]] and for

75 receiving incoming AlterWAN [[IP]] packets and comparing the destination addresses of said

76 incoming AlterWAN [[IP]] packets to said IP address of said untrusted port of said

77 destination firewall circuit, and decrypting the payload sections of any incoming

78 AlterWAN [[IP]] packets having as their destination address the IP address of said

79 untrusted port of said destination firewall circuit [[(hereafter incoming AlterWAN packets)

80 using whatever encryption method and key or keys which were used to encrypt said

81 incoming AlterWAN packets]] so as to recover the encapsulated AlterWAN payload packet

82 from each incoming AlterWAN packet, and transmitting each recovered AlterWAN payload 

83 packet to the device to which it is addressed at said customer destination site. 

Please add the following new claims: 

1 11. (new) A method of doing business to establish a private bidirectional wide area 

2 network between a source site and a destination site using the internet as a backbone, 

3 comprising the steps: 

4 connecting one or more computing devices at a source site to a firewall and 

5 source router and obtaining a known IP address for each computing device at said 

6 source site; 

7 connecting one or more computing devices at a destination site to a firewall and 

8 destination router and obtaining a known IP address for each computing device at said 

9 destination site; 

1 0 selecting one or more participating ISX/ISP internet service providers which have 

1 1 one or more high bandwidth, low latency, low hop count data paths that can be used as 


PRC-001 JP Amd CI 11/03 




1 2 at least part of a high bandwidth, low latency, low hop count data path for transmission of 

1 3 AlterWAN data packets between said source site and said destination site (hereafter 

1 4 referred to as the AlterWAN data path), and making agreements with said participating 

1 5 ISX/ISP internet service providers to always route AlterWAN packets into said AlterWAN 

1 6 data path such that said AlterWAN data packets will only travel on AlterWAN data path, 

1 7 wherein said AlterWAN packets are defined as packets which contain as a destination 

1 8 address one of said known IP addresses of computing devices at said source site or said 

1 9 destination site, and ensuring that said routing tables of routers of said one or more 

20 participating ISX/ISP internet service providers either already contain routing statements 

2 1 that will cause AlterWAN packets to be routed into said AlterWAN data path or are 

22 modified to contain such route statements; 

23 connecting said source router and said destination router to one of said 

24 participating ISX/ISP internet service providers through dedicated high bandwidth, low 

25 latency data paths. 

1 12. [new] A method comprising: 

2 generating an Internet Protocol data packet (hereafter IP packet) having as its 

3 destination address an Internet Protocol address assigned to a computing device at the 

4 other end of a private, wide area network using the internet as a backbone (hereafter 

5 referred to as an AlterWAN private tunnel); 

6 encrypting a payload portion of said IP packet to generate an encrypted IP 

7 packet; 

8 generating a composite AlterWAN packet by encapsulating said encrypted IP 

9 packet in another IP packet having as its destination address an IP address of an 

1 0 untrusted side of a firewall which is at a destination site which is part of said AlterWAN 

1 1 private tunnel; and 

1 2 routing said composite AlterWAN packet using a source router whose routing 

1 3 table has been configured to include a routing statement which recognizes said 

1 4 destination address of said composite AlterWAN packet and routes said composite 

1 5 AlterWAN packet via a dedicated data path to an AlterWAN data path, said AlterWAN 

1 6 data path being defined as a high bandwidth, low latency, low hop count data path 

1 7 provided by one or more participating ISX/ISP internet service providers that links said 

1 8 source site and said destination site of said AlterWAN private tunnel, each participating 

1 9 ISX/ISP internet service provider being one which has been selected as having at least 

20 one high bandwidth, low latency, low hop count data path which can be used to transmit 
21 said composite AlterWAN data packet either from said source site to said destination site

22 or to another participating ISX/ISP internet service provider and which has routers which 

23 either already contain or which are configured to contain predetermined routing 

24 statements when said participating ISX/ISP agrees to provide routing services as part of 

25 said AlterWAN data path, said predetermined routing statements being ones which will 

26 recognize said IP destination address of each said composite AlterWAN data packets 

27 and cause said composite AlterWAN packets to be routed into said AlterWAN data path. 

1 13. [new] A method comprising: 

2 receiving composite AlterWAN packet comprised of an encapsulating IP packet 

3 having as its destination address an Internet Protocol address assigned to a firewall at 

4 said destination site and using said Internet Protocol address assigned to said firewall in 

5 the destination address field of said encapsulating IP packet to recognize said packet as 

6 a composite AlterWAN packet, said encapsulating IP packet including at its payload an 

7 encrypted IP packet having as its destination address an Internet Protocol address of a 

8 computing device at said destination site, said destination site being at an end of a 

9 private, wide area network using the internet as a backbone (hereafter referred to as an 

1 0 AlterWAN private tunnel) and reacting to recognition of said received packet as an 

1 1 AlterWAN composite packet by routing said composite AlterWAN packet to a firewall; 
1 2 in said firewall, decrypting a payload portion of said encrypted IP packet to 

1 3 generate a recovered IP packet; 

1 4 routing said recovered IP packet to a computing device to which said recovered 

15 IP packet is addressed. 
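
The packet handling recited in claims 12 and 13, sketched as an added example that is not part of the filing. Assumptions: IPv4 headers without options, IP protocol number 4 for the outer packet, a SHA-256 keystream standing in for the unspecified encryption method, and constructed addresses and key.

```python
import hashlib, ipaddress, struct

def checksum(hdr):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, payload):
    """Build an IPv4 packet with a 20-byte header (no options)."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, pack(src), pack(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def xor_stream(key, data):
    """Stand-in cipher (assumption): SHA-256 counter keystream, demo only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack("!Q", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def crypt_payload(packet, key):
    """Encrypt or decrypt only the payload; the IP header stays readable."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl] + xor_stream(key, packet[ihl:])

def encapsulate(inner, key, src_fw, dst_fw):
    """Source side: encrypted inner packet inside an outer packet whose
    destination is the untrusted-side address of the destination firewall."""
    return ipv4(src_fw, dst_fw, 4, crypt_payload(inner, key))  # 4 = IP-in-IP (assumed)

def receive(packet, key, fw_addr):
    """Destination side: recognise by outer destination address, strip the
    outer header, decrypt, and return (inner destination, recovered packet)."""
    if len(packet) < 40 or packet[16:20] != ipaddress.IPv4Address(fw_addr).packed:
        return None  # not addressed to this firewall: not a composite packet
    recovered = crypt_payload(packet[(packet[0] & 0x0F) * 4:], key)
    return str(ipaddress.IPv4Address(recovered[16:20])), recovered

# Constructed sample values: RFC 1918 hosts, RFC 5737 documentation addresses.
KEY = b"constructed-demo-key"
INNER = ipv4("10.1.0.5", "10.2.0.9", 17, b"hello across the tunnel")
COMPOSITE = encapsulate(INNER, KEY, "198.51.100.1", "203.0.113.1")
```

The claims recite encryption only, so this sketch performs no integrity check on the received payload; a deployed tunnel would normally use an authenticated cipher mode.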

1 14. [new] A method of doing business comprising: 

2 selecting one or more participating ISX/ISP internet service providers 

3 which have one or more high bandwidth, low latency, low hop count data paths 

4 that can be used as at least part of a high bandwidth, low latency, low hop count 

5 data path for transmission of composite AlterWAN data packets between a source 

6 site and a destination site of a private wide area network using the internet as a 

7 backbone (hereafter referred to as the AlterWAN data path), where composite 

8 AlterWAN data packets are defined as internet protocol packets (hereafter the 

9 outer packet) which encapsulate other internet protocol packets (hereafter the 

1 0 inner packet), said inner packet having as its destination address the IP address 

1 1 of a computing device at one end of said AlterWAN data path and at least the 

1 2 payload section of said inner packet being encrypted, said outer packet having 

1 3 as its destination address an IP address of an untrusted side of a firewall at the 

1 4 same end of said AlterWAN data path as said computing device which has as its 

1 5 IP address said destination address of said inner packet; 

1 6 making agreements with said participating ISX/ISP internet service 

1 7 providers to always route composite AlterWAN packets into said AlterWAN data 

1 8 path such that said composite AlterWAN data packets will only travel on said 

1 9 AlterWAN data path; 

20 ensuring that said routing tables of routers of said one or more 

2 1 participating ISX/ISP internet service providers either already contain routing 

22 statements that will cause said composite AlterWAN data packets to be 

23 recognized and routed into said AlterWAN data path or are modified to contain 

24 such route statements. 

1 15. [new] A method of doing business comprising: 

2 selecting one or more participating ISX/ISP internet service providers 

3 which have one or more high bandwidth, low latency, low hop count data paths 

4 that can be used as at least part of a high bandwidth, low latency, low hop count 

5 data path for transmission of AlterWAN data packets between a source site and a 

6 destination site of a wide area network using the internet as a backbone 

7 (hereafter referred to as the AlterWAN data path), where AlterWAN data packets 

8 are defined as internet protocol packets which contain as a destination address 

9 one of said known IP addresses of computing devices at said source site or said 

1 0 destination site; 

1 1 making agreements with said participating ISX/ISP internet service 

1 2 providers to always route said AlterWAN packets into said AlterWAN data path 

1 3 such that said AlterWAN data packets will only travel on said AlterWAN data path; 

1 4 ensuring that said routing tables of routers of said one or more 

1 5 participating ISX/ISP internet service providers either already contain routing 

1 6 statements that will cause said AlterWAN data packets to be recognized and 

1 7 routed into said AlterWAN data path or are modified to contain such route 

1 8 statements. 

1 16. [new] A method of operating a router at an ISX/ISP comprising the steps: 

2 using said router to recognize AlterWAN data packets where AlterWAN data 
3 packets are defined as internet protocol packets which contain as a destination address 

4 one of one or more known IP addresses of computing devices at a source site or a 

5 destination site of a wide area network using the internet as a backbone; 

6 looking up routing statements that are applicable to said AlterWAN data packets 

7 and using said routing statements to route said AlterWAN data packets into a high 

8 bandwidth, low latency, low hop count data path coupling said source site to said 

9 destination site. 

1 17. [new] A method of operating a router at an ISX/ISP comprising the steps: 

2 using said router to recognize composite AlterWAN data packets where composite 

3 AlterWAN data packets are defined as internet protocol packets (hereafter the outer 

4 packet) which encapsulate other internet protocol packets (hereafter the inner packet), 

5 said inner packet having as its destination address one of one or more known IP 

6 addresses of computing devices at a source site or a destination site of a wide area 

7 network using the internet as a backbone and at least the payload section of said inner 

8 packet being encrypted, said outer packet having as its destination address an IP 

9 address of an untrusted side of a firewall at the same end of said AlterWAN data path as 

1 0 said computing device which has as its IP address said destination address of said inner 

1 1 packet; 

1 2 looking up routing statements that are applicable to said composite AlterWAN 

1 3 data packets and using said routing statements to route said composite AlterWAN data 

1 4 packets into a high bandwidth, low latency, low hop count data path coupling said source 

1 5 site to said destination site. 

1 18. [new] A router at an ISX/ISP which is part of a private wide area network using the 

2 internet as a backbone, said router being conventional except that said router is coupled to a 

3 high bandwidth, low latency, low hop count data path and has been configured to contain 

4 routing statements that cause AlterWAN data packets to be recognized and routed into said high 

5 bandwidth, low latency, low hop count data path, where AlterWAN data packets are defined as 

6 internet protocol packets which contain as a destination address one of one or more known IP 

7 addresses of computing devices at a source site or a destination site of a wide area network 

8 using the internet as a backbone. 

1 19. [new] A router at an ISX/ISP which is part of a private wide area network using the 

2 internet as a backbone, said router being conventional except that said router is coupled to a 
3 high bandwidth, low latency, low hop count data path and has been configured to contain 

4 routing statements that cause composite AlterWAN data packets to be recognized and routed 

5 into said high bandwidth, low latency, low hop count data path, where composite AlterWAN data 

6 packets are defined as internet protocol packets (hereafter the outer packet) which encapsulate 

7 other internet protocol packets (hereafter the inner packet), said inner packet having as its 

8 destination address one of one or more known IP addresses of computing devices at a source 

9 site or a destination site of a wide area network using the internet as a backbone and at least the 

1 0 payload section of said inner packet being encrypted, said outer packet having as its destination 

1 1 address an IP address of an untrusted side of a firewall at the same end of said AlterWAN data 

1 2 path as said computing device which has as its IP address said destination address of said inner 

1 3 packet. 